SOC Analyst - Level 2

Architecture in Motion Inc.
Remote

About The Position

Arancia is a Canadian Cybersecurity Consulting, Advisory and Technology firm based in Mississauga, Ontario. Our team consists of geographically diverse professionals dedicated to solving complex cybersecurity challenges. Offering a robust set of services across the IT and Cybersecurity landscape, supported by our proprietary security platform DarkSense, Arancia delivers high-quality security solutions across industries such as Healthcare, Financial Services, and Critical Infrastructure to a global client base.

Operating a modern 24/7 Security Operations Center, we combine advanced tooling with an evolving Agentic SOC platform to reduce noise, improve detection quality, and enable analysts to focus on meaningful investigations. If you are interested in working in a fast-paced, growing cybersecurity environment with a strong focus on innovation, investigation quality, and operational excellence, this role is for you.

We are seeking a skilled and highly motivated SOC Analyst – Level 2 to join our Security Operations team. This role is ideal for someone with hands-on experience in SOC operations, threat investigation, and incident response. As an L2 SOC Analyst, you will take ownership of advanced triage and investigation of alerts escalated from L1, execute containment actions across customer environments, and drive detection quality through structured tuning and feedback loops. You will work closely with L1 analysts, Detection Engineering, Incident Response, and Threat Intelligence teams, as well as our Agentic SOC platform, to reduce dwell time and false positives.

During evening shifts, you will also transition into proactive threat hunting, using dedicated time blocks to identify detection gaps and improve coverage. This role serves as a direct progression pathway into L3, Threat Hunting, Detection Engineering, or Incident Response.

Requirements

  • 2–5 years of experience in a SOC, Incident Response, or equivalent hands-on blue team role.
  • Demonstrable experience handling real security incidents end-to-end with a strong understanding of SOC workflows, escalation paths, and on-shift discipline.
  • Strong understanding of cybersecurity concepts including endpoint, network, identity, and cloud security.
  • Solid grounding in MITRE ATT&CK and its operational application in investigations.
  • Hands-on experience with at least one modern SIEM (Microsoft Sentinel, Elastic SIEM, OpenSearch, or similar) and at least one EDR solution (Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, or similar).
  • Working knowledge of identity and cloud telemetry (Entra ID, Office 365, AWS/Azure logs).
  • Proficiency in KQL is required; additional query languages such as SPL or OpenSearch DQL are a plus.
  • Basic scripting in Python or PowerShell for automation and enrichment.
  • Strong investigative mindset with the ability to pivot across data sources and build timelines.
  • Clear written communication suitable for customer-facing reports.
  • Ability to remain calm under pressure during live incidents and shift transitions.
  • Team-oriented with a willingness to mentor and continuously learn.
  • Bachelor’s degree in Cybersecurity, Information Technology, Computer Science, or a related field (or equivalent practical experience).

Nice To Haves

  • Exposure to SOAR platforms (Cortex XSOAR, Shuffle, Tines), threat intelligence platforms (MISP, OpenCTI), malware analysis or sandboxing tools (Any.Run, Joe Sandbox, Cuckoo), network detection tools (Zeek, Suricata), and cloud security experience across Azure, AWS, or GCP.
  • Certifications such as BTL1, CySA+, GCIH, Microsoft SC-200, or CompTIA Security+ are considered a plus.

Responsibilities

  • Perform advanced triage of alerts escalated from L1, determining true vs false positives.
  • Investigate security events across endpoint, identity, network, and cloud telemetry.
  • Correlate events and map adversary behavior to MITRE ATT&CK while enriching findings with relevant threat intelligence context.
  • Execute or coordinate containment actions including host isolation (EDR), account disablement (Entra ID / IAM), and blocking indicators such as IPs, domains, or hashes.
  • Partner with Incident Response teams on high-severity or multi-system incidents and document actions, timelines, and evidence with a clear chain of reasoning.
  • Conduct hypothesis-driven threat hunting across endpoint, identity, and cloud datasets, particularly during evening shifts and on rotation.
  • Convert hunt findings into new detections or tuning recommendations and maintain proper documentation of hunts and derived detections.
  • Provide structured feedback to Detection Engineering on false positives, detection gaps, and tuning opportunities.
  • Validate new detection rules (Sigma, KQL, SPL, or equivalent) before production rollout and contribute to playbook authoring and continuous improvement.
  • Produce clear, complete incident reports suitable for both technical and non-technical stakeholders.
  • Track and support SLA metrics including MTTD, MTTR, and MTTC.
  • Participate in structured shift handovers and post-incident reviews.
  • Collaborate closely with internal teams including Detection Engineering, Incident Response, and Threat Intelligence.
  • Mentor L1 analysts on triage quality and investigation techniques, and contribute to internal knowledge bases and lessons-learned sessions.

Benefits

  • Shift allowances apply for evenings, nights, weekends, and public holidays.
  • Market competitive salary based on experience & qualifications.